Less than 0.5% of online banking clients fall for phishing scams each year, report says

A Trusteer report released today concluded that each year 4,700 out of one million bank customers – less than half of one percent of a bank’s clients – fall for phishing schemes and compromise their online banking information.

But despite the seemingly small number of successful hoaxes, the monetary losses could range between $2.4 million and $9.4 million annually per one million online banking clients, according to estimates from the Tel Aviv-based browser security company.

Trusteer said the report is the first to offer figures on the success rate of phishing attacks. Phishing is the name given to the tactics criminals use to obtain Internet users’ private data and financial information, often through elaborate e-mail hoaxes.

After collecting data from 10 large U.S. and European banks for a period of three months, Trusteer found that on average 16 attacks per week – approximately 832 a year – pretended to come from each of the banks studied, evaded anti-spam and phishing filters and reached users’ inboxes.

The report concluded that 12.5 out of one million bank customers followed the links in each of those phishing schemes, which means that 10,400 out of a million customers (or 1.04 percent of all of a bank’s clients) are lured to a phishing site every year.

Out of those, almost half – 4,700 out of a million customers, or 0.47 percent of all of a bank’s clients – will be tricked into submitting their online credentials each year, Trusteer said.

The study might be the first to give a real sense of the odds that cyber-criminals are playing, and it seems to support the widely accepted belief among security experts that only a minuscule percentage of online scams pay off. However, with so many phishing schemes out there – more than 90 percent of all e-mail sent is believed to be malicious – even this small fraction has effectively translated into a billion-dollar criminal industry.

Trusteer obtained the numbers by using data collected from its Rapport plug-in, which monitors when clients try to submit personal data to phishing sites and is installed on approximately 3 million computers in the United States and Europe.